Non-Verified User Can Submit Reports, View Disclosed Reports | Secuna Bug Bounty

Details:

It's a cold afternoon at the Manila Bulletin, and I am enjoying my Iced Mocha from Paper + Cup.

I currently have two accounts at Secuna:
https://app.secuna.io/ctulhu – Verified
https://app.secuna.io/imongmama – Not Verified

As a verified user on Secuna you should be able to update your profile, submit reports, view disclosed reports and update your payout method. If your account is not verified, you should not be able to submit reports, view disclosed reports, update your profile, and so on.

If you log in with a non-verified Secuna account, the web app only redirects you to https://app.secuna.io/account-verification; that redirect is the only thing standing between the unverified account and the verified-only features.

Since I had already mapped out Secuna's GraphQL endpoint from the client-side bundle (https://app.secuna.io/static/js/main.80713d8f.chunk.js), I could call the API directly instead of going through the UI.
Sample GraphQL request:

POST /api/graphql HTTP/1.1
Host: app.secuna.io
content-type: application/json
authorization: Bearer

{"operationName":"updateAboutHackerProfile","variables":{"bio":"meh","location":"Philippines","website":"https://ctulhu.me"},"query":"mutation updateAboutHackerProfile($bio: String!, $location: String, $website: String) {\n updateAboutHackerProfile(bio: $bio, location: $location, website: $website) {\n bio\n location\n socialMedia {\n github\n website\n facebook\n linkedin\n instagram\n }\n }\n}\n"}

This will update our bio to "meh", our location to "Philippines" and our website to https://ctulhu.me.
The operation type is "mutation", which performs the write and then fetches the selected fields: bio, location and socialMedia (github, website, etc.).

In GraphQL there are three types of operations:

1.) query – a read-only fetch.
2.) mutation – a write followed by a fetch.
3.) subscription – a long-lived request that fetches data in response to source events.

Each operation is represented by an optional operationName and a selection set.
If we send the above request, we receive the response below, confirming the mutation was executed for the account behind the bearer token:

{"data":{"updateAboutHackerProfile":{"bio":"meh","location":"Philippines","socialMedia":{"facebook":null,"github":null,"instagram":null,"linkedin":null,"website":"https://ctulhu.me"}}}}
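The root cause described above is that the verification check lives in the front end (a redirect) while the GraphQL mutations themselves do not check the account's state. The following is an added example, not Secuna's code, of how a server-side authorization layer for such an endpoint can enforce the check on every resolver. The Account model, the accountVerificationStatus operation and the sample accounts are constructed for this example; only the updateAboutHackerProfile mutation and its variables come from the request shown on the page. As a simplification, the resolver is chosen by operationName rather than by parsing the query document.

```python
"""Server-side authorization for a GraphQL-style endpoint (added example)."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    """Constructed account model: the verified flag is what the API must consult."""
    username: str
    verified: bool
    bio: str = ""
    location: str = ""
    website: Optional[str] = None


class AuthorizationError(Exception):
    pass


def require_verified(resolver):
    """Wrap a resolver so it refuses unverified accounts on every call.

    This is the check that must live next to the data, not in the client's
    routing: a client-side redirect can be bypassed by calling the API directly.
    """
    def wrapper(account, **variables):
        if not account.verified:
            raise AuthorizationError(
                "account must be verified to perform this operation")
        return resolver(account, **variables)
    wrapper.__name__ = resolver.__name__
    return wrapper


@require_verified
def updateAboutHackerProfile(account, bio, location=None, website=None):
    """Mutation from the page: write the profile fields, then return the selection."""
    account.bio = bio
    account.location = location or ""
    account.website = website
    return {
        "bio": account.bio,
        "location": account.location,
        "socialMedia": {
            "facebook": None, "github": None, "instagram": None,
            "linkedin": None, "website": account.website,
        },
    }


def accountVerificationStatus(account):
    """Hypothetical query that any authenticated account may run, verified or not."""
    return {"verified": account.verified}


# Each operation name maps to a resolver; only unwrapped ones are open to everyone.
RESOLVERS = {
    "updateAboutHackerProfile": updateAboutHackerProfile,
    "accountVerificationStatus": accountVerificationStatus,
}


def handle_graphql(account: Account, body: str) -> dict:
    """Dispatch a JSON request body like the one on the page for a given account."""
    request = json.loads(body)
    name = request.get("operationName")
    resolver = RESOLVERS.get(name)
    if resolver is None:
        return {"errors": [{"message": f"unknown operation {name!r}"}]}
    try:
        result = resolver(account, **request.get("variables", {}))
    except AuthorizationError as exc:
        # GraphQL convention: report the refusal in "errors" with data set to null.
        return {"data": None, "errors": [{"message": str(exc)}]}
    return {"data": {name: result}}


# Constructed request body mirroring the mutation shown on the page.
SAMPLE_BODY = json.dumps({
    "operationName": "updateAboutHackerProfile",
    "variables": {"bio": "meh", "location": "Philippines",
                  "website": "https://ctulhu.me"},
    "query": ("mutation updateAboutHackerProfile($bio: String!, $location: String, "
              "$website: String) { updateAboutHackerProfile(bio: $bio, "
              "location: $location, website: $website) { bio location "
              "socialMedia { website } } }"),
})


if __name__ == "__main__":
    verified = Account("ctulhu", verified=True)
    unverified = Account("imongmama", verified=False)
    print(json.dumps(handle_graphql(verified, SAMPLE_BODY)))
    print(json.dumps(handle_graphql(unverified, SAMPLE_BODY)))
```

Run with the verified account, the mutation succeeds and returns the same shape as the response above; run with the unverified account, the resolver is never reached and the profile stays unchanged, whatever the front end did or did not redirect.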

Secuna’s Response:

Bounty: $100
Report: https://app.secuna.io/submission/7db2182e-e5c4-4a44-909e-2a11ee718793